Court: Hijacking ex-employee’s LinkedIn account violates PA law

Judge found misappropriation of employee's identity but no damages.

Last year we covered the case of Linda Eagle, whose former employer, Edcomm, kept control of her LinkedIn account after firing her. In his October ruling, Judge Ronald Buckwalter of the District Court in Eastern Pennsylvania rejected the theory that taking control of a former employee's LinkedIn account violated the anti-hacking provisions of the Computer Fraud and Abuse Act. But in a Tuesday ruling, Judge Ronald Buckwalter found that seizing an employee's LinkedIn account can constitute unauthorized use of the employee's name and likeness under Pennsylvania law.

Edcomm's takeover of Eagle's LinkedIn account was an awkward affair. Eagle had shared her password with another Edcomm employee so that the employee could help her manage it. When she was terminated, the other employee was instructed to change the password, freezing her out of the account. Edcomm then replaced the name, picture, and most of the information in her account with information about Eagle's replacement as Edcomm's CEO.

But the account still had the URL "http://www.linkedin.com/in/lindaeagle," and it was still linked to about 4000 of Eagle's professional contacts. Eagle, a recognized figure in her field, charged that Edcomm was effectively using her name to drum up business without her consent. Someone who Googled Eagle's name hoping to do business with her would be likely to find himself on the LinkedIn page of Eagle's successor at Edcomm.

Judge Buckwalter agreed, holding that Edcomm had violated three Pennsylvania laws: unauthorized use of Eagle's name for commercial purposes, invasion of privacy by misappropriation of identity, and misappropriation of publicity. He rejected several other charges, including identity theft, conversion, and tortious interference with contracts.

But Eagle was not able to put a dollar figure on the Edcomm's harms to her. Since she had generated at least $1 million in revenue from her 4000 contacts, she had argued that each contact was worth $250 per year, on average. And since she had been locked out of her account for 3 months (LinkedIn eventually intervened and returned it to her) she argued that she was owed almost $250,000.

But Judge Buckwalter rejected this math as too speculative. "Aside from her own self-serving testimony that she regularly maintained business through LinkedIn," he wrote, "Plaintiff failed to point to one contract, one client, one prospect, or one deal that could have been, but was not obtained during the period she did not have full access to her LinkedIn account."

The result was a Pyrrhic victory for Eagle. She won on the legal merits, but because she couldn't put a dollar figure on her harms within the court's parameters, she wasn't able to recover damages.

A couple of clear lessons emerge from the incident. First, if employers encourage employees to use social media accounts as part of their work, they should have clear, written policies about who owns them and what will happen to them when the employee leaves the company. Second, filing a lawsuit over control of a social media account is generally a waste of time and money. Even if the plaintiff wins the lawsuit, the damages are unlikely to be sufficient to cover the expenses of litigation.

Timothy B. Lee
Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times. Emailtimothy.lee@arstechnica.com//Twitter@binarybits

That's why I never got on Facebook on my work computer is because of this very reason. You never know when your former employer will do something shady like this and I wouldn't put it past anyone. I mean, you have friends who would get on your Facebook to post something obscene that you never did so why put it past a former employer to hack your social media accounts if they can?

damages are unlikely to be sufficient to cover the expenses of litigation

Which frankly is one of the huge problems with the whole legal system today.

Which makes it obvious there ARE damages; she was willing to litigate at her own personal financial risk over it, because the loss was worth more than what she risked in legal fees. Therefore, she should be awarded AT A MINIMUM two times her total legal fees.

Couldn't she just pull a number from her arse? it works for the mafiaa/mpaa?

Just becuase someone else does something bad/stupid/whatever doesn't mean we should in other cases. Quite the contrary, we should hold ourselves to a higher standard. Mind, I do believe turnabout is fair play, so if someone sued the **AA and won I would be all for pulling some astronomical damage figures out of their ass.

This case is one reason I believe loser should pay: if you're found to have been actively wronged, you shouldn't, long-term, have to pay for it yourself.

It's stunning to me that the leadership of a company thought this was a good idea and that employees were willing to be complicit. I understand that keeping a job is important in today's economy but I'd think that somewhere along the line someone would have said, "Wait, you want me to do what? I think that might be illegal, maybe we should rethink this."

Another lesson is that employers, companies who want an online presence through such social or commercial sites, should handle all such matters by company name or role, not by individual employee names. I mean, would you set up a large company's business page at Facebook with the current marketing director's name in the URL? No, that's just stupid. You'd use some form of the company name. Sure, a designated employee might access and administer it with their own account credentials, but the page belongs to the company. If LinkedIn or the site in question doesn't allow anything but private individual accounts, then it's clearly the wrong place for whatever you're trying to do there.

The incident really illustrates that many businesses are still, even at this late date, struggling with their online presence and identities. Maybe they've been farming it all out to web designers, PR firms and SEO specialists for so long that no one in the business community actually has any clue. Hard to believe.

Why didn't she change her password to her account when she left? That would have kept this from happening. If the answer is because she didn't know how to log into the account and do it then how did she manage to become CEO?

Why didn't she change her password to her account when she left? That would have kept this from happening. If the answer is because she didn't know how to log into the account and do it then how did she manage to become CEO?

Maybe she didn't assume she would need to change it 'right this second' as soon as she was gone. Maybe they changed it while informing her of her termination. These details aren't listed but when I change jobs I don't immediately change every password to all my social media accounts that day. Usually takes a few days and only if I was lazy and had my work machine remember password.

I think it's wrong to say future people who run into the same problem can't ask for damages. The problem was in the way she (or her lawyer) went about calculating it. I think that in discovery the lawyer should have asked for any new business that had been received by the old company from anyone of her old contacts. Then based on that business you could then depose some of the contacts to see how they searched for it. If they had gotten it by searching on her name, or because someone had reached out to them from linked-in, then you would have a figure to point to.

that's a bit strange. the entertainment industries can never put a dollar figure on their supposed losses through file sharing, but the judges in those cases always award the maximum $140,000 per supposed infringement. could it be that, as usual, when it is an ordinary member of the public (all be it in this case a well paid ordinary member of the public) that the courts look on claims as being completely different (and irrelevant) to when it's a massive, multimillion dollar company? certainly seems to be that way to me!!

that's a bit strange. the entertainment industries can never put a dollar figure on their supposed losses through file sharing, but the judges in those cases always award the maximum $140,000 per supposed infringement.

The statutes for those cases have dollar amount ranges written into them for the judge to use. Not so in this case.

that's a bit strange. the entertainment industries can never put a dollar figure on their supposed losses through file sharing, but the judges in those cases always award the maximum $140,000 per supposed infringement.

The statutes for those cases have dollar amount ranges written into them for the judge to use. Not so in this case.

Translation: the big guy has the system stacked in his favor against the little guy.

I mean the company's case is not as weak as people think. Many places don't let you take the rolodex you generated at work with you when you leave.

Then I would say that they'd need to prove that all her contacts in that account were made when she was their employee and that all those contacts where clients/customers of the company. Otherwise it's the equivalent of them taking your own personal address book, which may include names and numbers of clients/customers that you've met while working there.

Stupid! Why would you give another employee your pwd? She likely wouldn't have had any problems if they hadn't known her password to begin with. Although, if they pulled it from some monitoring system...of course that would have been a different beast in court IMHO.

I think it's wrong to say future people who run into the same problem can't ask for damages. The problem was in the way she (or her lawyer) went about calculating it. I think that in discovery the lawyer should have asked for any new business that had been received by the old company from anyone of her old contacts. Then based on that business you could then depose some of the contacts to see how they searched for it. If they had gotten it by searching on her name, or because someone had reached out to them from linked-in, then you would have a figure to point to.

Note: I am not a lawyer.

While I agree, I think this is a case of hindsight being 20/20, Considering the amount of times courts award statutory damages in litigation because of squidgy numbers that could or could not be put forth, I don't think they were too far field in the numbers they did ballpark out there. It could have just as easily been a judge that had next to no knowledge on the "new-fangled" social media (we've seen these judges in other cases--let's be honest) and could have bought it all.

So really it wasn't the best gambit to take, but on the other hand it was at least a fair attempt on their part to put a price. They just lost the jackpot on the judge they got having a reasonable clue.

I think it's wrong to say future people who run into the same problem can't ask for damages. The problem was in the way she (or her lawyer) went about calculating it. I think that in discovery the lawyer should have asked for any new business that had been received by the old company from anyone of her old contacts. Then based on that business you could then depose some of the contacts to see how they searched for it. If they had gotten it by searching on her name, or because someone had reached out to them from linked-in, then you would have a figure to point to.

Note: I am not a lawyer.

It's nothing to do with the way they calculated it and everything to do with the fact that she simply couldn't prove any actual loss. If she could have pointed to a lost contract or business lead or anything else, the calculation would then have been brought into play. As it was, the order never even [i]got[i] to the method of calculation because there was no loss to value. Being deprived of potential income is not a legal claim. It has to be an actual loss that can be proven to be directly related to the bad act of the other party.

One thing I wonder is if she had a contract with the company that specifies prevailing party is awarded attorney's fees in any legal proceeding. Such clauses are pretty standard and wouldn't necessarily be brought up as a matter for this court. Often-times they're simply dealt with later since it's a separate issue, legally, and that makes it easier to keep the payment for those out of the public eye.

that's a bit strange. the entertainment industries can never put a dollar figure on their supposed losses through file sharing, but the judges in those cases always award the maximum $140,000 per supposed infringement.

The statutes for those cases have dollar amount ranges written into them for the judge to use. Not so in this case.

Precisely. This sort of case is exactly why statutory damages exist. It's often incredibly difficult to legally prove one's actual damages. Legislators, in some cases, recognize that without such statutory damages the laws they draft would be toothless. Another good example of statutory damages is in the Fair Debt Collection Practices Act. In cases of bad faith on the part of a collector, one can be awarded actual damages, up to $1000 in statutory damages and attorney's fees.

My point is that statutory damages are not an inherently bad thing. In the case of copyright law, they are far out of whack with what we now see as justice but, originally, they were targeting actual criminals, not just average folks wh shared a single song. It is that discrepancy which needs clarification.

Now is Edcomm on the hook for her attorney fees? I would think they should at least be on the hook for that. But she must have been dreaming when she said that they owe her $250k because she could have lost a sale if a contact or person went to her LinkedIn page. She probably would have gotten something if she had a contact or three testify for her, evidence of damage done and not just "if's", and was asking for something in the low to mid 5 figure range.

People who give out their login info for personal/private type of services to employers should have to wear a "Hello I'm an idiot" name tag, especially if the excuse is you need someone to help you manage it. Unless the company provides the account for the employee to modify, then I can see them having it but still need to have some type of written policy on the books.

It's easy to put actual damages of at least $3,500-7,000. How do I come to that? Simple. Federal minimum wage is $7.25 and LinkedIn is used to find a job. Assuming she spends about 8 hours per day during the work week to look for a new job, she would have made $3,500 during those three months had she been working. Now given that people search for new job posts throughout the day, and even beyond the work day or even the work week, it could easily be argued that job hunters spend about 10-12 hours per day each week. So it's not unfathomable to ask for $7,000. It's easy to say that a LinkedIn profile with 4,000 contacts is definitely worth $7,000, and probably much, much more. After all, those 4,000 contacts are people that could and probably will help you get a job interview.